By Michael Vaughn

Splunk .conf2016 Recap: Actionable Cybersecurity through Adaptive Response

The latest and greatest from Splunk

Last week I attended the annual Splunk conference in the great sunshine state – Florida. The Orlando-based event allowed Splunkers from around the world to acquaint themselves with the latest and greatest offerings from Splunk. Although there was an array of fun activities throughout the week, it was clear that attendees were there to learn. The announcement of Splunk’s security-centric Adaptive Response initiative was well received and just so happens to integrate quite nicely with Ziften’s endpoint solution.

In particular, the “Transforming Security” Keynote Session put on by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defence, demonstrated the power of Splunk’s new Adaptive Response interface to thousands of attendees.

In the clip below, taken from that Keynote, Monzy Merza demonstrates how critical data provided by a Ziften agent can also be used to drive bi-directional functionality from Splunk: Splunk sends instructional logic back to the Ziften agent, which takes immediate action on a compromised endpoint. Monzy was able to identify a compromised Linux server and remove it from the live network for further forensic investigation. The Ziften endpoint agent not only provides critical security data to the Splunk instance, it also lets the user stay on the same interface to take operational and security actions, so users can work bi-directionally through Splunk’s framework and take instant, precise action across all operating systems. After the talks our booth was swamped with demos and extremely interesting conversations regarding operations and security.

Take a look at a 3-minute Monzy highlight from the Keynote:

Over the weekend I was able to process the wide array of technical discussions I had with hundreds of brilliant people in our booth at .conf. One of the funny things I discovered — which no one would openly admit unless I pulled it out of them — is that the majority of us are beginner-to-intermediate SPL (Splunk Processing Language) users. I also observed the obvious: incident response was the main focus of this year’s event.

However, many people use Ziften for Splunk for a variety of things, such as operations and application management, network monitoring, and user behavior modeling. In an attempt to illuminate the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 loved most about Ziften for Splunk:

1) It’s fantastic for Enterprise Security.
a. Generalized platform for digesting real-time data and taking immediate action
b. Automating remediation from a wide scope of indicators of compromise

2) IT Operations love us.
a. Systems Tracking, Hardware Lifecycle, Resource Management
b. Application Management – Compliance, License Rationalization, Vulnerabilities

3) Network Monitoring with ZFlow is a game changer.
a. ZFlow ties netflow with binary, user and system data – in a single Splunk SPL entry
b. Do I need to say more here? This is the right Holy Grail from Indiana Jones, folks!

4) Our User Behavior Modeling goes beyond just alerts.
a. This could be tied back under IT Operations but it’s becoming its own beast
b. Ziften’s tracking of software usage, logins, elevated binaries, timestamps, etc. is readily viewable in Splunk
c. Ziften provides a free security-centric Splunk bundle, but we convert all of the data we collect from each endpoint to Splunk CIM language – not just our ‘Alerts’

Ultimately, using a single Splunk Adaptive Response interface to manage a multitude of tools within your environment is what helps build a strong enterprise fabric for your company – one in which operations, security and network teams overlap more fluidly. Make better decisions, faster. Find out for yourself with our free 30-day trial of Ziften for Splunk!
